IEEE 802.16 is a standard formulated by the Institute of Electrical and Electronics Engineers (IEEE) in December 2001 for providing last-mile wireless broadband access in a Metropolitan Area Network (MAN).
Meanwhile, a large number of equipment vendors and network builders have formed the Worldwide Interoperability for Microwave Access (WiMAX) organization, which speeds up the deployment of IEEE 802.16-based wireless broadband networks by ensuring the compatibility and interoperability of wireless broadband access equipment. Therefore, a system that implements wireless broadband access based on the 802.16 series of standards is generally called a WiMAX system.
With the boom of Internet services and the popularization of wireless networks, mobile subscribers impose ever higher security requirements on the wireless system. Nowadays, operators not only need to handle device authentication, user authentication and service authorization, but also need to pay close attention to matters that are not necessarily considered in traditional dedicated networks: setting up a security channel between a mobile subscriber and an Access Point (AP) or Base Station (BS) and exchanging confidential information over it, a confidential channel between a BS and an authenticator, and a confidential channel between an authenticator and an Authentication, Authorization and Accounting (AAA) server, together with the exchange of confidential information over these channels. Viewed purely as a security architecture, and ignoring the other internal devices of the access network, a WiMAX network therefore takes one of the forms shown in FIG. 1 or FIG. 2.
In the centralized architecture shown in FIG. 1, the authenticator and the BS are located in different physical entities, the functions of an authenticator and a key distributor are implemented in the authenticator, and the functions of authentication relay and key receiver are implemented in the BS.
In the distributed network architecture shown in FIG. 2, the authenticator and the BS are located in the same physical entity. This entity implements the functions of an authenticator, authentication relay, key distributor and key receiver.
Described below are the functions of the Network Elements (NEs), including logical NEs, in FIG. 1 and FIG. 2.
BS: A BS provides the security channel between itself and a Mobile Station (MS), over which air interface data is compressed and encrypted, and exchanges confidential information with the MS.
Authenticator: An authenticator acts as a proxy toward the AAA function entity on behalf of the MS, and is implemented in the same physical entity as the key distributor.
Authentication relay: An authentication relay implements relay of authentication requests and response messages in the authentication process.
Key distributor: A key distributor is implemented in the same physical entity as the authenticator. From the root key information that the AAA server provides for communication with the MS (the peer root key), the key distributor generates the air interface Authentication Key (AK) shared between the BS and the MS, and distributes the AK to the key receiver.
Key receiver: A key receiver runs in the BS; it receives the AK generated and sent by the key distributor, and derives from it the other keys used between the BS and the MS.
Besides, a complete security network architecture also includes an AAA server in the back-end network and an MS. The AAA server performs authentication, authorization and accounting for the MS, and exchanges with the MS the information required for generating keys, according to the key generation mechanism agreed with the MS. This information is exchanged before the security channel is set up, so the key algorithms applied between the AAA server and the MS must ensure that disclosure of the exchanged information does not compromise the security mechanism. The functions of an AAA server are to:
perform authentication, authorization, and accounting for an MS;
generate and distribute root key information to an authenticator; and
when user information changes, promptly notify the authenticator and other NEs of the consequences of that change.
The MS initiates authentication and authorization in the security architecture, exchanges with the AAA server the information required for generating root keys, generates the root keys, and from the root keys generates the AK required for confidentiality on the air interface together with the other derived key information.
In the network architecture, the function entities related to Mobile IP (MIP) are the Mobile Node (MN), namely the MS, the Foreign Agent (FA), and the Home Agent (HA). The MN sends a MIP registration request to the HA through an FA. After receiving the MIP registration request, the HA binds the Care-of Address (CoA) of the MN to its Home Address (HoA). Every data packet subsequently received by the HA whose destination address is the HoA is forwarded to the CoA, which in Mobile IP version 4 (MIPv4) is the FA address. To ensure security, a MIP message generally carries an Authentication Extension (AE), for example the Mobile-Home authentication extension (MN-HA-AE) between the MN and the HA. When the HA receives a MIP registration request carrying an MN-HA-AE, the HA computes a local authentication value from the key information it shares with the MN and compares it with the MN-HA-AE carried in the packet. If the local authentication value matches the MN-HA-AE, authentication succeeds and the MIP registration request is handled; otherwise, the MIP registration request is rejected.
In WiMAX, MIP comes in two forms, shown in FIG. 3a and FIG. 3b: Client MIP (CMIP) and Proxy MIP (PMIP). A terminal that supports the MIP protocol works in CMIP mode. Conversely, if the terminal does not support the MIP protocol, the network creates a PMIP-client entity that implements the MIP functions on the terminal's behalf.
Currently, the Network Access Server (NAS) maintains the lifecycle of the Home Agent Root Key (HA-RK). Once the lifecycle of the HA-RK expires, the NAS requests a new HA-RK and the relevant information from the AAA server that allocates the HA-RK.
However, there is a time gap between the expiry of the old HA-RK and the receipt of the new HA-RK. During this gap no MIP registration can be handled, which introduces delay in some scenarios and disrupts the MIP registration process.
Besides, the HA-RK has to be delivered in every Extensible Authentication Protocol (EAP) process, which makes the EAP process inefficient.
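The MIP registration exchange described above and the key-expiry gap described in the two preceding paragraphs, as an added Python example that is not part of the original text and not WiMAX or NAS code: the MN appends an MN-HA-AE computed with the RFC 3344 default algorithm (HMAC-MD5 over the registration request, all prior extensions, and the Type, Length and SPI of the extension itself), and a constructed HomeAgent class looks the MN-HA key up by SPI, verifies the authenticator in constant time, rejects a replayed Identification, and refuses every request that arrives while its only key has expired and no replacement has been installed. The key bytes, SPIs, addresses, expiry values, the monotonic-Identification replay rule and the injectable clock are all constructed assumptions standing in for keys derived from a real HA-RK.

```python
"""MIPv4 Registration Request with a Mobile-Home Authentication Extension (RFC 3344,
section 3.5) and a home agent that honours a key lifetime. Constructed example."""
import hashlib
import hmac
import struct

REG_REQUEST_TYPE = 1       # RFC 3344 section 3.3: Registration Request
REG_REQUEST_HDR_LEN = 24   # Type, flags, Lifetime, HoA, HA, CoA, Identification
MN_HA_AE_TYPE = 32         # RFC 3344 section 3.5.2: Mobile-Home Authentication Extension
AE_DATA_LEN = 20           # SPI (4 bytes) + HMAC-MD5 authenticator (16 bytes)

# Registration Reply codes from RFC 3344 section 3.4 used below
CODE_ACCEPTED = 0
CODE_MN_FAILED_AUTHENTICATION = 131
CODE_IDENTIFICATION_MISMATCH = 133


def ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_registration_request(home_addr, home_agent, care_of, identification, lifetime=1800):
    """Fixed 24-byte part of a Registration Request (flags left at zero)."""
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST_TYPE, 0, lifetime,
                       ipv4(home_addr), ipv4(home_agent), ipv4(care_of), identification)


def mn_ha_authenticator(key, preceding, spi):
    """Default algorithm: HMAC-MD5 over the UDP payload and prior extensions,
    followed by the Type, Length and SPI of this extension."""
    header = struct.pack("!BBI", MN_HA_AE_TYPE, AE_DATA_LEN, spi)
    return hmac.new(key, preceding + header, hashlib.md5).digest()


def append_mn_ha_ae(message, key, spi):
    """MN side: append Type, Length, SPI and the authenticator."""
    header = struct.pack("!BBI", MN_HA_AE_TYPE, AE_DATA_LEN, spi)
    return message + header + mn_ha_authenticator(key, message, spi)


def locate_mn_ha_ae(message):
    """Walk the Type/Length extensions after the fixed header up to the MN-HA-AE.
    Returns (bytes covered by the HMAC, SPI, received authenticator)."""
    if len(message) < REG_REQUEST_HDR_LEN or message[0] != REG_REQUEST_TYPE:
        raise ValueError("not a registration request")
    offset = REG_REQUEST_HDR_LEN
    while offset + 2 <= len(message):
        ext_type, ext_len = message[offset], message[offset + 1]
        if offset + 2 + ext_len > len(message):
            raise ValueError("truncated extension")
        if ext_type == MN_HA_AE_TYPE:
            if ext_len != AE_DATA_LEN:
                raise ValueError("malformed MN-HA-AE")
            (spi,) = struct.unpack("!I", message[offset + 2:offset + 6])
            return message[:offset], spi, message[offset + 6:offset + 2 + ext_len]
        offset += 2 + ext_len
    raise ValueError("no MN-HA-AE present")


class HomeAgent:
    """Keys are indexed by SPI and carry an expiry (constructed model of a key
    derived from the HA-RK); the clock is injected so the expiry gap can be shown."""

    def __init__(self, clock):
        self.clock = clock
        self.keys = {}         # SPI -> (key, expiry)
        self.bindings = {}     # HoA -> CoA
        self.last_ident = {}   # HoA -> last accepted Identification

    def install_key(self, spi, key, expiry):
        self.keys[spi] = (key, expiry)

    def handle_registration(self, message):
        try:
            covered, spi, received = locate_mn_ha_ae(message)
        except ValueError:
            return CODE_MN_FAILED_AUTHENTICATION
        entry = self.keys.get(spi)
        if entry is None or entry[1] <= self.clock():
            # Old key expired, new key not yet delivered: nothing can be authenticated.
            return CODE_MN_FAILED_AUTHENTICATION
        key, _ = entry
        if not hmac.compare_digest(mn_ha_authenticator(key, covered, spi), received):
            return CODE_MN_FAILED_AUTHENTICATION
        _, _, _, hoa, _, coa, ident = struct.unpack("!BBH4s4s4sQ", message[:REG_REQUEST_HDR_LEN])
        if ident <= self.last_ident.get(hoa, -1):   # constructed rule: Identification must increase
            return CODE_IDENTIFICATION_MISMATCH
        self.last_ident[hoa] = ident
        self.bindings[hoa] = coa   # packets for the HoA are now forwarded to the CoA
        return CODE_ACCEPTED


def demo():
    """Accepted, tampered, replayed, sent during the key gap, accepted with the new key."""
    now = [1000.0]
    ha = HomeAgent(clock=lambda: now[0])
    key1, key2, spi1, spi2 = b"constructed-key-1", b"constructed-key-2", 0x100, 0x101
    hoa, agent, coa = "10.0.0.5", "10.0.0.1", "192.0.2.1"
    ha.install_key(spi1, key1, expiry=2000.0)
    req1 = append_mn_ha_ae(build_registration_request(hoa, agent, coa, 1), key1, spi1)
    req2 = append_mn_ha_ae(build_registration_request(hoa, agent, coa, 2), key1, spi1)
    tampered = req2[:-1] + bytes([req2[-1] ^ 0x01])
    results = [ha.handle_registration(req1), ha.handle_registration(tampered),
               ha.handle_registration(req1)]
    now[0] = 2500.0                                   # key1 expired, replacement not yet received
    results.append(ha.handle_registration(req2))
    ha.install_key(spi2, key2, expiry=4000.0)         # new root-derived key arrives
    req3 = append_mn_ha_ae(build_registration_request(hoa, agent, coa, 3), key2, spi2)
    results.append(ha.handle_registration(req3))
    return results


if __name__ == "__main__":
    print(demo())
```

The fourth result is the gap the text complains about: between the expiry recorded for the old key and the installation of its replacement, the HA can only answer with a failure code, so every registration attempt in that window is lost or delayed.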